Cyber Terrorism Part 3 – Convention without caveats? by Mike Gillespie & Ellie Hurst

The first international agreement limiting the use of chemical weapons dates back to 1685. France and Germany came to an agreement, signed in Strasbourg to prohibit the use of poison bullets. Around 200 years on and the next attempt at agreement came out of Brussels. The Brussels Convention on the Law and Customs of War prohibited the use of poison, poisoned weapons, arms, projectiles or material to cause unnecessary suffering. It was never put into force. Next came the Hague Convention in 1899 where contracting parties agreed to abstain from the ‘use of projectiles which had the sole objective of the diffusion of asphyxiating or deleterious gases’. It was augmented in 1907 with poisons and poisoned weapons. In spite of all this, the First World War saw the extensive use of toxic chemical weapons. Over 90,000 soldiers died horrible deaths as a result and probably a million more left blind, disfigured or debilitated, as around 124,200 tonnes of agents were released over the period 1915-18 (the first use was Belgium April 1915).

These horrors provoked outcry and from this outcry was born the 1925 Protocol for the Prohibition of the Use of Asphyxiating, Poisonous or Other Gases and of Bacteriological Methods of Warfare, better known as 1925 Geneva Protocol. But there were loopholes and the Protocol did not ban the development, production or possession of chemical weapons (imagine a cyber weapon at this point and it is OK to build an EternalBlue) but you couldn’t use those weapons in warfare (think of a cyber weapon but you promise not to use it). Also many of the countries who signed up reserved the right to use their weapons on those that hadn’t signed up. In the run up to World War two, UK and Germany (and probably many others) started to stockpile chemical weapons again. Thankfully, although there was a huge loss of life and crimes committed against humanity, neither chemical or biological weapons were used and the 1925 Geneva Protocol appeared to have established an accepted norm of international law.

The international community further reinforced the ban in 1972 – the Biological Weapons Convention or the Biological and Toxin Weapons Convention which prohibited the development, production, stockpiling, acquisition, retention and transfer of such weapons, including their delivery systems, and required their destruction.  It also required the enactment of national legislation to enforce its prohibitions.

In 1993 the Chemical Weapons Convention extended the 1925 Protocol from use to include the development, production, stockpiling, retention and transfer of chemical weapons, including their delivery systems. It also covered their destruction.

Since then, there has continued to be widespread international support for these bans, and restraint has been seen in nearly all of the hundreds of armed conflicts that have taken place since the original 1925 Protocol.  Sadly however we have seen both chemical and biological weapons deployed in a small number of conflicts and internal ‘civil’ suppressions, such incidents being met by International condemnation and in some cases prosecutions.  Despite this, more recently we have seen the threat of the use of toxins like ricin by terrorist groups and, allegedly the assignation of dissidents by Russia using radiation and the Salisbury Novichok nerve agent attack.

But what, I can hear you wondering, has all this got to do with Cyber?

Well, if you can cast your mind back to where we started with all of this…………………

Links between transnational organised crime groups (TOC) and terrorist groups are emerging and indeed appear to be ‘outsourcing’ to each other. Ideology apparently takes a back seat when procuring certain cyber skills

Meanwhile, the current cyber landscape is the new cold war, but there isn’t one nation behind this, the whole world is in a standoff. We are in a situation that could best be likened to an international Cuban missile crisis and we are all waiting to see who blinks first

Nation states are developing hostile cyber offensive capabilities, and some are known to be stockpiling cyber weapons, essentially researching and developing diseases for military use against other nation states, and at the same time are inhibiting the effective development of a vaccine.

All of this, without any real movement towards the implementation of an international (cyber) Biological and Toxin Weapons Convention

What does that mean from a legal and an ethical standpoint? Does the international community really want to wait for the cyber equivalent of the gassing of the trenches before it is prepared to take the development, stockpiling and potentiality, use of a cyber weapon of mass destruction?

If that last seems far fetched or over the top, you need only cast your mind back a couple of years to the global effect of Wannacry, to the physical damage caused by weapons such as Stuxnet; a weapon now widely available at relatively low cost on the internet and so on.  A decade on and we see its coding fingerprint on a wide range of malwares in play today. This is because it was a quality piece of work, for want of a better phrase and quality has a long half life…

Looking forward, the possibility of the convergence of new developing technologies such as Artificial Intelligence as an extension to the cyber weaponry capability, should fill us all with a chill.

A Cyber Weapons Convention would seem to be the only way to halt this current and alarming arms race. For it to be successful though, it must be signed up to by the major players, the same major players who have refused to be signatories to date to any such agreement. Moreover, it must be enforced.

A failure to do anything could well be catastrophic and result in not just national, but international carnage on a scale never seen before.

Mike Gillespie

MD of Advent IM, C3i Group on cyber security, cybercrime and cyber intelligence, Mike is also cyber spokesperson for the International Institute of Risk and Safety Management (IIRSM) and the Cyber Security lead adviser for UK Government’s, Surveillance Camera Commissioner.

Ellie Hurst

Head of MarComms & Media for Advent IM, Ellie is also a recognised and respected speaker on the UK conference circuit, an Associate of the Security Institute and Institute of Information Security Professionals.